Global Outbreak of WannaCry Ransomware (ETR-2017-C020)

E Com Security Solutions has been closely monitoring the latest ransomware outbreak that has affected several organizations around the world – which is being commonly referred to as WCRY or WannaCry. Based on our initial analysis of this ransomware – it appears to be taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “Eternalblue”) associated with the Shadow Brokers tools release

Ransomware is serious threat to business, it is a special kind of virus used by hackers to lock access to important files on user’s computers; and they ask for money to unlock the files again. Cyber extortionists trick victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files. The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access.

EXECUTIVE SUMMARY:

Reports of malware attacks in Spain began around 8:00am EDT on 12 May 2017. The attacks were ransomware with file extensions of the encrypted files ending in .WNCRY. Shortly thereafter, samples became available of the malware and it was confirmed to be WannaCry using an SMB exploit and worm techniques. This is a new version of the WannaCry malware being called WannaCry 2.0 by threat researchers.

By 1:00pm EDT the attacks were being reported in the UK against the NHS with some hospitals having lost the use of telephones and computers. The full scale of the attack and the initial infection vector remains unknown at this time.

THREAT TECHNICAL DETAILS:

Some samples show the WannaCry malware with no AV detection and others have detection by a majority of the AV vendors. There is a Visual Basic Script file (VBS) packaged with some binaries hinting at possible initial infection vectors being emails with linked or attached Microsoft Office documents.

Once the malware is installed, it encrypts files using AES and RSA encryption. More details on the delivery and infection mechanisms will be provided as details become available.

The malware is using at least one SMB vulnerability in its attack. SMB had a number of known issues going back as far as MS08-068. A named attack called Badlock was reported in 2016 also targeting SMB and recently Microsoft released an additional Vulnerability Note in February 2018, VU#867968, about the possibility of a denial of service attack also using SMB. It has been confirmed that MS17-010 vulnerability for SMB is being used.

The bitcoin addresses for payment of the ransom have been hard-coded into the malware samples.

IMPACT:

There is an active attack in the wild of the WannaCry/WCry ransomware currently. It appears to be global in scope affecting customers in the United States, United Kingdom, Taiwan, Russia, Turkey, Kazakhstan, Indonesia, Vietnam, Japan, Spain, Germany, Ukraine, and the Philippines. The full scope of the attack is currently unknown. It has been seen targeting communications and healthcare organizations but the full list of targets remains unknown.

1. Be careful while clicking on links coming over emails and do not open emails attachments coming over unknown senders. Pdf, word, excel, power point, zip and Rar files are most common to carry Ransomware.
2. Ensure the automatic updates are enabled on the systems. Install Microsoft Patch MS17-010 which addresses SMB vulnerability used in this WCRY Ransomware attack.
Ref: https://technet.microsoft.com/library/security/MS17-010
3. Ensure that the system is running with latest version of Antivirus along with updated Signatures.
4. Ensure you have backup of your important files.
5. Do not download software from unknown sites
6. Do not logon as “Administrator” on your computer for regular / daily use.
7. Do not connect to unknown Wifi networks and turn off Wifi when not needed.
8. Prevent using unknown USB drives – they may contain malware.
9. Disable Macros in MS office products.

BEST PRACTICES THAT CAN BE FOLLOWED BY ORGANIZATIONS IN THE NETWORK LEVEL:

1. Conduct Periodic penetration tests on the applications and network to identify and remediate the vulnerabilities.
2. Develop, institute and practice employee security awareness programs for identifying scams, malicious links, and attempted social engineering.
3. Lock down mapped network drives by securing them with a password and access control restrictions. Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.
4. Establish a Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing which is adapted by most Ransomware to reach corporate email boxes.
5. Restrict execution of powershell /WSCRIPT in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
6. Isolate communication to ports 137 and 138 UDP and ports 139 and 445 TCP in organizations’ networks. It is strongly recommended not to open following ports to the external world on the network perimeter firewall.
7. Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
8. The malware uses TOR (THE ONION ROUTER) hidden services for command and control (C&C) connection. Monitor the encrypted communication from internal to external network at the Network Perimeter devices.

If you suspect any abnormal behaviour with your systems or suffering with a security breach or want to evaluate your security posture, contact the incident response team at [email protected]